/// <summary>
/// Copies the threat detection settings held by the cmdlet model onto the given policy properties object.
/// </summary>
/// <param name="model">The cmdlet model to read the settings from.</param>
/// <param name="properties">The policy properties object to fill in; it is mutated in place.</param>
/// <returns>The same <paramref name="properties"/> instance that was passed in.</returns>
private BaseSecurityAlertPolicyProperties PopulatePolicyProperties(BaseThreatDetectionPolicyModel model, BaseSecurityAlertPolicyProperties properties)
{
    properties.State = model.ThreatDetectionState.ToString();

    // A missing recipient list is stored as an empty string, never as null.
    var recipients = model.NotificationRecipientsEmails;
    properties.EmailAddresses = recipients ?? string.Empty;

    // The admin-notification flag is stored as the text of the Enabled / Disabled state value.
    if (model.EmailAdmins)
    {
        properties.EmailAccountAdmins = ThreatDetectionStateType.Enabled.ToString();
    }
    else
    {
        properties.EmailAccountAdmins = ThreatDetectionStateType.Disabled.ToString();
    }

    // Assigned last: if ExtractExcludedDetectionType throws, the three fields above have already been written.
    // DisabledAlerts names the detection types the model excludes, so this value decides which alerts are turned off.
    properties.DisabledAlerts = ExtractExcludedDetectionType(model);

    return properties;
}
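/// <summary>
/// Serialises the model's excluded detection types into a semicolon-separated string.
/// </summary>
/// <param name="model">The cmdlet model whose <c>ExcludedDetectionTypes</c> list is read.</param>
/// <returns>
/// <c>null</c> when the model has no list; an empty string when the list is empty or holds only
/// <c>DetectionType.None</c>; otherwise the type names joined with ';'.
/// </returns>
/// <exception cref="Exception">
/// Thrown when <c>DetectionType.None</c> is combined with any other detection type.
/// </exception>
private string ExtractExcludedDetectionType(BaseThreatDetectionPolicyModel model)
{
    if (model.ExcludedDetectionTypes == null)
    {
        return null;
    }

    // Enumerate the list once; the checks below would otherwise walk it several times.
    var excluded = model.ExcludedDetectionTypes.ToArray();

    if (excluded.Contains(DetectionType.None))
    {
        // None cannot be mixed with real detection types: the request is ambiguous, so reject it
        // rather than guess which alerts the caller meant to switch off.
        if (excluded.Any(t => t != DetectionType.None))
        {
            throw new Exception(Properties.Resources.InvalidDetectionTypeList);
        }

        // Only None is present (possibly repeated): nothing is excluded.
        // A repeated None used to fall through and be joined as "None;None".
        return string.Empty;
    }

    return string.Join(";", excluded.Select(t => t.ToString()));
}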
/// <summary>
/// Parses a semicolon-separated disabled-alerts string and stores the result in the model's
/// <c>ExcludedDetectionTypes</c>.
/// </summary>
/// <param name="model">The cmdlet model to update; it is mutated in place.</param>
/// <param name="disabledAlerts">
/// The stored disabled-alerts string. <c>null</c> or empty yields an empty array.
/// </param>
private static void ModelizeDisabledAlerts(BaseThreatDetectionPolicyModel model, string disabledAlerts)
{
    if (string.IsNullOrEmpty(disabledAlerts))
    {
        model.ExcludedDetectionTypes = new DetectionType[0];
        return;
    }

    model.ExcludedDetectionTypes = disabledAlerts
        .Split(';')
        .Select(name =>
        {
            DetectionType parsed;

            // Case-insensitive parse of the trimmed name.
            // NOTE(review): the TryParse result is ignored, so an entry that does not parse (an unknown
            // name, or the empty piece left by a stray ';') is reported as default(DetectionType)
            // instead of being surfaced. Enum.TryParse also accepts numeric text, which can produce a
            // value that is not a defined member. The model may then misstate which alerts are
            // disabled; confirm this best-effort behaviour is intended.
            Enum.TryParse(name.Trim(), true, out parsed);
            return parsed;
        })
        .ToArray();
}
/// <summary>
/// Fills the cmdlet model from a stored security alert policy.
/// </summary>
/// <param name="threatDetectionProperties">The policy properties to read from.</param>
/// <param name="model">The cmdlet model to fill in; it is mutated in place.</param>
/// <returns>The same <paramref name="model"/> instance that was passed in.</returns>
private BaseThreatDetectionPolicyModel ModelizeThreatDetectionPolicy(BaseSecurityAlertPolicyProperties threatDetectionProperties, BaseThreatDetectionPolicyModel model)
{
    var source = threatDetectionProperties;

    // State and the admin-notification flag go through their own converters.
    model.ThreatDetectionState = ModelizeThreatDetectionState(source.State);

    // The recipient list is copied as stored, including a null value.
    model.NotificationRecipientsEmails = source.EmailAddresses;

    model.EmailAdmins = ModelizeThreatDetectionEmailAdmins(source.EmailAccountAdmins);

    // Writes model.ExcludedDetectionTypes from the stored disabled-alerts string.
    ModelizeDisabledAlerts(model, source.DisabledAlerts);

    return model;
}
/// <summary>
/// Serialises the model's excluded detection types into a semicolon-separated string of
/// <c>SecurityConstants</c> names.
/// </summary>
/// <param name="model">The cmdlet model whose <c>ExcludedDetectionTypes</c> is read.</param>
/// <returns>
/// <c>null</c> when the model has no list; otherwise the matching names joined with ';'
/// (an empty string when none of the known types is on).
/// </returns>
private string ExtractExcludedDetectionType(BaseThreatDetectionPolicyModel model)
{
    var excluded = model.ExcludedDetectionTypes;
    if (excluded == null)
    {
        return null;
    }

    // Only the types in this table are ever written out, in this order. Any other value in the
    // model's list is left out of the result without an error.
    var known = new[]
    {
        new { Type = DetectionType.Sql_Injection, Name = SecurityConstants.Sql_Injection },
        new { Type = DetectionType.Sql_Injection_Vulnerability, Name = SecurityConstants.Sql_Injection_Vulnerability },
        new { Type = DetectionType.Access_Anomaly, Name = SecurityConstants.Access_Anomaly },
        new { Type = DetectionType.Usage_Anomaly, Name = SecurityConstants.Usage_Anomaly },
    };

    var serialized = new StringBuilder();
    foreach (var entry in known)
    {
        // IsDetectionTypeOn is defined elsewhere; presumably it tests whether the type is in the list.
        if (IsDetectionTypeOn(entry.Type, excluded))
        {
            serialized.Append(entry.Name).Append(";");
        }
    }

    if (serialized.Length > 0)
    {
        serialized.Length -= 1; // drop the trailing semicolon
    }

    return serialized.ToString();
}
/// <summary>
/// Serialises the model's excluded detection types into a semicolon-separated string of
/// <c>SecurityConstants</c> names.
/// </summary>
/// <param name="model">The cmdlet model whose <c>ExcludedDetectionTypes</c> is read.</param>
/// <returns>
/// <c>null</c> when the model has no list; otherwise the matching names joined with ';'
/// (an empty string when none of the known types is on).
/// </returns>
private string ExtractExcludedDetectionType(BaseThreatDetectionPolicyModel model)
{
    var excluded = model.ExcludedDetectionTypes;
    if (excluded == null)
    {
        return null;
    }

    // Only the types in this table are ever written out, in this order. Any other value in the
    // model's list is left out of the result without an error.
    var known = new[]
    {
        new { Type = DetectionType.Successful_SQLi, Name = SecurityConstants.Successful_SQLi },
        new { Type = DetectionType.Attempted_SQLi, Name = SecurityConstants.Attempted_SQLi },
        new { Type = DetectionType.Client_GEO_Anomaly, Name = SecurityConstants.Client_GEO_Anomaly },
        new { Type = DetectionType.Failed_Logins_Anomaly, Name = SecurityConstants.Failed_Logins_Anomaly },
        new { Type = DetectionType.Failed_Queries_Anomaly, Name = SecurityConstants.Failed_Queries_Anomaly },
        new { Type = DetectionType.Data_Extraction_Anomaly, Name = SecurityConstants.Data_Extraction_Anomaly },
        new { Type = DetectionType.Data_Alteration_Anomaly, Name = SecurityConstants.Data_Alteration_Anomaly },
    };

    var serialized = new StringBuilder();
    foreach (var entry in known)
    {
        // IsDetectionTypeOn is defined elsewhere; presumably it tests whether the type is in the list.
        if (IsDetectionTypeOn(entry.Type, excluded))
        {
            serialized.Append(entry.Name).Append(";");
        }
    }

    if (serialized.Length > 0)
    {
        serialized.Length -= 1; // drop the trailing semicolon
    }

    return serialized.ToString();
}